Use of Blackhole continues to increase in 2012

News by Dan Raywood

Crimeware kits are losing market share to the Blackhole exploit kit.

According to AVG, the Blackhole toolkit was the toolkit of choice for cyber criminals in the first quarter of 2012, with its research showing that 70 per cent of attacks were performed by variants of Blackhole on average.

AVG said Blackhole is a sophisticated and powerful exploit kit, mainly because of its polymorphic nature and because its code is deeply concealed to evade detection by anti-malware solutions, and that it therefore has a high success rate.

Yuval Ben-Itzhak, CTO of AVG, told SC Magazine that the use of Blackhole was consistent into 2012 from 2011 and had been dominant for the past two years.

He said: “The Blackhole team are very accurate to update the kit with the latest exploits to offer malware and encryption and obfuscation to escape anti-virus. They are supplying the toolkit to others as the model is a security subscription to the toolkit.

“This is not the first time we are seeing this, but what we saw in 2008 was not as successful and the Blackhole team has followed from there.

“To use it, you subscribe by providing your credentials and install Blackhole on servers. Then you infect users who visit the servers. We are seeing them compromise legitimate websites, exploiting platforms such as WordPress. We think of this like an affiliate network, it is very similar.”

The recent 2011 top cyber security risks report from HP's Tipping Point labs said that Blackhole's popularity seems to be growing exponentially, and other new kits, such as Sakura Pack, Yang Pack and Siberia, have emerged with exploits for many recent vulnerabilities.

The report also claimed that instances of compromised sites serving and/or redirecting to Blackhole sites grew dramatically over the past year, and that, despite using known, patched bugs from 2010 and before, Blackhole still achieved infection rates comparable to or better than other exploit kits tracked by HP DVLabs earlier in 2011.

Webroot security blogger Dancho Danchev said Blackhole is the most popular exploit kit as it offers encrypted malware and JavaScript and iframe code, and the creators have copies of anti-virus engines.

“They run it against the anti-virus engine and say ‘obfuscate it and the detection rate decreases’,” he said.

“Personally I think the creators are one step ahead of the industry and aware of the latest technology.”
